Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control
SECURITY-2455 / CVE-2021-21685, CVE-2021-21686, CVE-2021-21687, CVE-2021-21688, CVE-2021-21689, CVE-2021-21690, CVE-2021-21691, CVE-2021-21692, CVE-2021-21693, CVE-2021-21694, CVE-2021-21695
The agent-to-controller security subsystem limits which files on the Jenkins controller can be accessed by agent processes.
Multiple vulnerabilities in the file path filtering implementation of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier allow agent processes to read and write arbitrary files on the Jenkins controller file system, and obtain some information about Jenkins controller file systems.
SECURITY-2427 / CVE-2021-21685: FilePath#mkdirs does not check permission to create parent directories.
SECURITY-2444 / CVE-2021-21686: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories.
SECURITY-2446 / CVE-2021-21687: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link.
SECURITY-2484 / CVE-2021-21688: FilePath#reading(FileVisitor) does not reject any operations, allowing users to have unrestricted read access using certain operations (creating archives, #copyRecursiveTo).
SECURITY-2485 / CVE-2021-21689: FilePath#unzip and FilePath#untar were not subject to any access control.
SECURITY-2486 / CVE-2021-21690: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path.
SECURITY-2531 / CVE-2021-21691: Creating symbolic links is possible without the symlink permission.
SECURITY-2538 / CVE-2021-21692: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path.
SECURITY-2539 / CVE-2021-21693: When creating temporary files, permission to create files is only checked after they have been created.
SECURITY-2541 / CVE-2021-21694: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions.
SECURITY-2542 / CVE-2021-21695: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
We expect that most of these vulnerabilities have been present since SECURITY-144 was addressed in the 2014-10-30 security advisory.
Jenkins 2.319, LTS 2.303.3 addresses these security vulnerabilities.
SECURITY-2427 / CVE-2021-21685: FilePath#mkdirs checks permission to create parent directories.
SECURITY-2444 / CVE-2021-21686: File path filters canonicalize paths, preventing operations from following symbolic links to outside allowed directories.
SECURITY-2446 / CVE-2021-21687: FilePath#untar checks permission to create symbolic links when unarchiving a symbolic link.
SECURITY-2484 / CVE-2021-21688: FilePath#reading(FileVisitor) correctly rejects operations if they operate on files outside allowed directories.
SECURITY-2485 / CVE-2021-21689: FilePath#unzip and FilePath#untar are now subject to access control.
SECURITY-2486 / CVE-2021-21690: Agent processes are no longer able to completely bypass file path filtering by wrapping the file operation in an agent file path.
SECURITY-2531 / CVE-2021-21691: Creating symbolic links now correctly checks the symlink permission.
SECURITY-2538 / CVE-2021-21692: The operations FilePath#renameTo and FilePath#moveAllChildrenTo check both read and delete permissions on the source path.
SECURITY-2539 / CVE-2021-21693: When creating temporary files, permission to create files is checked before they are created, based on an artificial path.
SECURITY-2541 / CVE-2021-21694: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, and FilePath#isDescendant check stat permission. FilePath#get*DiskSpace methods are no longer allowed to be executed by an agent.
SECURITY-2542 / CVE-2021-21695: FilePath#listFiles checks stat permission on files it returns, preventing listing files outside allowed directories.
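The following Python sketch is an added illustration, not Jenkins's own code: it contrasts a textual prefix check with a canonicalizing one (the SECURITY-2444 fix) and shows a listing operation that drops entries whose resolved location lies outside the allowed root (the SECURITY-2542 fix). The PathFilter class, the temporary directory layout and the file names are all constructed for this example.

```python
import os
import tempfile
from pathlib import Path


class PathFilter:
    """Allow-list of directory roots for file operations (constructed example)."""

    def __init__(self, allowed_dirs):
        # Canonicalize the roots too, so comparisons are like-for-like.
        self.allowed = [os.path.realpath(d) for d in allowed_dirs]

    def _under_root(self, path):
        return any(path == r or path.startswith(r + os.sep) for r in self.allowed)

    def naive_is_allowed(self, path):
        # Pre-fix behaviour: normalizes ".." but does not resolve symlinks,
        # so a link inside an allowed root still passes the prefix check.
        return self._under_root(os.path.abspath(path))

    def is_allowed(self, path):
        # Fixed behaviour: resolve symlinks first, then compare prefixes.
        return self._under_root(os.path.realpath(path))

    def list_files(self, directory):
        # A listing that only returns entries whose canonical target is allowed,
        # so a symlink pointing outside the root is dropped rather than followed.
        if not self.is_allowed(directory):
            raise PermissionError(directory)
        return sorted(n for n in os.listdir(directory)
                      if self.is_allowed(os.path.join(directory, n)))


def demo():
    """Builds a constructed layout: an allowed workspace, a secret outside it,
    and a symlink inside the workspace pointing at that secret."""
    base = os.path.realpath(tempfile.mkdtemp())
    workspace = os.path.join(base, "workspace")
    os.makedirs(workspace)
    os.makedirs(os.path.join(base, "secrets"))
    secret = os.path.join(base, "secrets", "master.key")
    Path(secret).write_text("constructed secret")
    Path(os.path.join(workspace, "build.log")).write_text("constructed log")
    escape = os.path.join(workspace, "escape")
    os.symlink(secret, escape)
    pf = PathFilter([workspace])
    return {"naive": pf.naive_is_allowed(escape),
            "canonical": pf.is_allowed(escape),
            "listing": pf.list_files(workspace)}
```

The same canonicalize-then-compare step is what makes a symlinked builds directory or a symlink-partitioned JENKINS_HOME fail the check, which is why the advisory warns about those layouts.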
Important: As some common operations are now newly subject to access control, it is expected that plugins sending commands from agents to the controller may start failing. Additionally, the newly introduced path canonicalization means that instances using a custom builds directory (Java system property jenkins.model.Jenkins.buildsDir) or partitioning JENKINS_HOME using symbolic links may fail access control checks. See the documentation for how to customize the configuration in case of problems.
Note: If you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, please refer to this knowledge base article to learn about your options for a workaround.
Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
SECURITY-2423 / CVE-2021-21696
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not limit agent read/write access to the libs/ directory inside build directories when using the FilePath APIs. This directory is used by the Pipeline: Shared Groovy Libraries Plugin to store copies of shared libraries.
This allows attackers in control of agent processes to replace the code of a trusted library with a modified variant, resulting in unsandboxed code execution in the Jenkins controller process.
Jenkins 2.319, LTS 2.303.3 prohibits agent read/write access to the libs/ directory inside build directories.
Note: If you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, please refer to this knowledge base article to learn about your options for a workaround.
Important: It is not easily possible to customize the file access rules to prohibit access to the libs/ directory specifically, as built-in rules (granting access to <BUILDDIR> contents) would take precedence over a custom rule prohibiting access.
Agent-to-controller access control allows reading/writing most content of build directories
SECURITY-2428 / CVE-2021-21697
Agents are allowed some limited access to files on the Jenkins controller file system. The directories agents are allowed to access in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier include the directories storing build-related information, intended to allow agents to store build-related metadata during build execution. As a consequence, this allows any agent to read and write the contents of any build directory stored in Jenkins with very few restrictions (build.xml and some Pipeline-related metadata).
Jenkins 2.319, LTS 2.303.3 prevents agents from accessing contents of build directories unless it’s for builds currently running on the agent attempting to access the directory.
Note: Update Pipeline: Nodes and Processes to version 2.40 or newer for Jenkins to associate Pipeline node blocks with the agent they are running on for this fix.
Note: If you are unable to immediately upgrade to Jenkins 2.319, LTS 2.303.3, please refer to this knowledge base article to learn about your options for a workaround.
Path traversal vulnerability allows reading arbitrary files in Subversion Plugin
SECURITY-2506 / CVE-2021-21698
Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent.
This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.
Subversion Plugin 2.15.1 checks for the presence of and prohibits directory separator characters as part of the file name, restricting it to the intended directory.
Non-constant time checking of CasC Bundle
BEE-8344
The CasC bundle access token that is used to authenticate the request between the Controller and the Operations Center was checked in non-constant time, resulting in a potential security vulnerability.
This issue has been resolved. The Controller CasC bundle access token is now checked using a constant time comparison.
Incorrect Callable implementation
BEE-8354
An incorrect Callable implementation was allowed to run arbitrary code on Controllers under specific circumstances.
This fix corrects the Callable implementation, and the code is now secured.
Fix Agent to Controller communication security
BEE-8591
Security fix for the remoting communication from an agent to a Controller.
Fix in Controller to Controller communication
BEE-8604
This includes a security hardening in the Controller to Controller communication in a CBCI cluster.
Java Deserialization Vulnerability in Operations-Center-Context
BEE-9031
There was an insecure Java deserialization call in operations-center-context.
Deserialization is now secure with this fix.
Missing role check in CloudBees DevOptics Plugin allowed obtaining file hashes
DEVOPTICS-1698
Implementations of messages in the remoting protocol (Callables) are expected to implement a role check restricting at which side of a communication channel they can be executed. CloudBees DevOptics Plugin 1.1934 and earlier implemented a Callable with a no-op (empty) role check, allowing its transmission to and execution on any side of any remoting communication channel.
This allows attackers able to control agents to obtain the (SHA-1, SHA-256, MD5, etc.) hashes of any file on the Jenkins controller. Additionally, attackers with Overall/Administer permission on a connected controller are able to obtain the (SHA-1, SHA-256, MD5, etc.) hashes of any file on the operations center.
CloudBees DevOptics Plugin 1.1973 limits execution of the Callable to agents.